From b53c1158e477f615eb9c83e3ee147e8ccaa84f2c Mon Sep 17 00:00:00 2001 From: Nikhil Kumar Date: Fri, 28 Oct 2022 16:10:39 +0100 Subject: Allow admin user's app with system UID to access blob store. BlobStore APIs are restricted to be only consumed by the admin user's app with system uid. Right now there is only one admin user which is user 0 and for user 0 both the appId and callingUid are same. So even with callingUid, the existing check works well. With the new headless mode, there can be several Admin users, and any Admin user's app with a system uid can call BlobStoreManager APIs. But the appId and callingUid have different values on other(except user 0) amdin users' apps. callingUid = userId + "0" + appId Refactored the restriction to use appId instead of callingUid to match with SYSTEM_UID and added an additional check to ensure that the calling user is an admin user. Removed unused callingUid param in internal method. Bug: 256119753 Test: atest --test-mapping apex/blobstore Change-Id: I6717cb8ebeb263c911e3caae924b7c3935e58778 --- .../server/blob/BlobStoreManagerService.java | 28 +++++++++++++--------- 1 file changed, 17 insertions(+), 11 deletions(-) (limited to 'apex/blobstore') diff --git a/apex/blobstore/service/java/com/android/server/blob/BlobStoreManagerService.java b/apex/blobstore/service/java/com/android/server/blob/BlobStoreManagerService.java index 9ac3e412b1e4..9d363c806f5f 100644 --- a/apex/blobstore/service/java/com/android/server/blob/BlobStoreManagerService.java +++ b/apex/blobstore/service/java/com/android/server/blob/BlobStoreManagerService.java @@ -80,6 +80,7 @@ import android.os.Process; import android.os.RemoteCallback; import android.os.SystemClock; import android.os.UserHandle; +import android.os.UserManager; import android.util.ArrayMap; import android.util.ArraySet; import android.util.AtomicFile; @@ -619,7 +620,7 @@ public class BlobStoreManagerService extends SystemService { return blobInfos; } - private void deleteBlobInternal(long blobId, int callingUid) { + private void deleteBlobInternal(long blobId) { synchronized (mBlobsLock) { mBlobsMap.entrySet().removeIf(entry -> { final BlobMetadata blobMetadata = entry.getValue(); @@ -1612,10 +1613,7 @@ public class BlobStoreManagerService extends SystemService { @Override @NonNull public List queryBlobsForUser(@UserIdInt int userId) { - if (Binder.getCallingUid() != Process.SYSTEM_UID) { - throw new SecurityException("Only system uid is allowed to call " - + "queryBlobsForUser()"); - } + verifyCallerIsSystemUid("queryBlobsForUser"); final int resolvedUserId = userId == USER_CURRENT ? ActivityManager.getCurrentUser() : userId; @@ -1629,13 +1627,9 @@ public class BlobStoreManagerService extends SystemService { @Override public void deleteBlob(long blobId) { - final int callingUid = Binder.getCallingUid(); - if (callingUid != Process.SYSTEM_UID) { - throw new SecurityException("Only system uid is allowed to call " - + "deleteBlob()"); - } + verifyCallerIsSystemUid("deleteBlob"); - deleteBlobInternal(blobId, callingUid); + deleteBlobInternal(blobId); } @Override @@ -1716,6 +1710,18 @@ public class BlobStoreManagerService extends SystemService { return new BlobStoreManagerShellCommand(BlobStoreManagerService.this).exec(this, in.getFileDescriptor(), out.getFileDescriptor(), err.getFileDescriptor(), args); } + + /** + * Verify if the caller is an admin user's app with system uid + */ + private void verifyCallerIsSystemUid(final String operation) { + if (UserHandle.getCallingAppId() != Process.SYSTEM_UID + || !mContext.getSystemService(UserManager.class) + .isUserAdmin(UserHandle.getCallingUserId())) { + throw new SecurityException("Only admin user's app with system uid" + + "are allowed to call #" + operation); + } + } } static final class DumpArgs { -- cgit v1.2.3-59-g8ed1b